Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H because exploitation requires intimate knowledge and total control of the tunnel protocol; network-reachable with availability-only impact, so C:N/I:N/A:H.
Primary rating from Vendor (Absolute).
CVSS VectorVendor: Absolute
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
CVE-2026-33445 is a memory management vulnerability in Secure Access servers prior to 14.55. Attackers with an intimate knowledge of and total control over the tunnel protocol can create a persistent DoS against the server.
AnalysisAI
Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows a remote attacker with deep, low-level command of the tunnel protocol to corrupt server-side memory management and keep the server down. The flaw carries a CVSS 4.0 base score of 8.7 driven entirely by an availability (VA:H) impact, with no confidentiality or integrity consequence. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to have, per the vendor description, 'intimate knowledge of and total control over the tunnel protocol' - meaning the ability to craft and drive arbitrary Secure Access tunnel-protocol exchanges, not merely send generic network traffic. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H) rates this network-reachable, unauthenticated, and low-complexity, yielding 8.7 (High) with pure availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who understands the Absolute Secure Access tunnel protocol at a low level connects to an internet-facing server and drives the tunnel into a crafted state that trips the memory-management fault, leaving the server hung or crashed and unable to serve legitimate remote users until manual intervention. Because the failure is persistent rather than transient, a single successful attempt can cause a sustained outage. … |
| Remediation | Upgrade Absolute Secure Access servers to version 14.55 or later, which is the vendor-released patch (affected = prior to 14.55); consult the advisory at https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33445 for the exact build and upgrade guidance. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Absolute Secure Access deployments running versions before 14.55, categorize by business criticality, and initiate vendor contact to determine patch timeline. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Secure Access
View allLocal privilege escalation in Absolute Secure Access for Windows (client and server) before version 14.55 allows a low-p
Memory management vulnerability in Absolute Secure Access server versions 9.0 through 13.54 that allows unauthenticated,
Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthentica
Persistent denial-of-service in Absolute Secure Access servers before version 14.55 allows an authenticated tunnel parti
Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modi
Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attac
Memory management flaw in Absolute Secure Access prior to version 14.55 allows a remote attacker with deep protocol know
Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions p
Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks
CVE-2025-54088 is an open-redirect vulnerability in Secure Access prior to version 14.10. Attackers with access to the c
There is a cross-site scripting vulnerability in the Secure Access administrative UI of Absolute Secure Access prior to
There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prio
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44801